TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Efforts to Update Aging Computer Hardware Are Underway, but Program Improvements Are Needed to Minimize Risks

November 6, 2007

Reference Number: 2008-20-002

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

November 6, 2007

MEMORANDUM FOR CHIEF INFORMATION OFFICER

FROM: Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Efforts to Update Aging Computer Hardware Are Underway, but Program Improvements Are Needed to Minimize Risks (Audit # 200620021)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) implemented effective controls to identify and replace aging equipment components that could adversely affect its ability to meet its mission if the equipment components were to fail. This review is part of the Treasury Inspector General for Tax Administration’s Fiscal Year 2007 Annual Audit Plan coverage under the major management challenge of Modernizing the IRS.

Impact on the Taxpayer

The IRS estimates it should spend $180 million annually to adequately maintain and replenish its computer hardware and has initiated several actions to address the risks associated with the aging computer hardware. However, the information used to estimate the size and effect of the aging computer hardware could be improved. The IRS established a goal to obtain increased resources to address the aging computer hardware as one of its highest priorities, but permanent program funding remains uncertain and a disciplined investment management governance process is needed for all infrastructure initiatives/activities.
As a result, the IRS may not fund the highest priority projects to ensure investment decisions result in the most efficient use of available resources on behalf of taxpayers.

Synopsis

The IRS continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems. The IRS also reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life). At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.

The IRS has initiated several actions to address the risks associated with the aging computer hardware issue. On September 28, 2006, it hired a contractor to develop a Sustaining Infrastructure Program, which is intended to provide a comprehensive approach to manage all infrastructure requirements and establish a governance structure to prioritize competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life Equipment Replacement (Rust Replacement), and Security Infrastructure). The IRS is scheduled to complete implementation of the Sustaining Infrastructure Program in Calendar Year 2008. As a result, the IRS identified as one of its highest budget priorities the need to obtain increased resources to reverse the erosion of its basic computer hardware. Also, the Financial Management Services organization established a separate accounting code in Fiscal Year 2007 to track funds spent to replace aging computer hardware.

Although the IRS has initiated several actions to address the aging computer hardware risks, the size and effect of the aging computer hardware issue is unknown and the source(s) for a permanent increase in funding has not been identified.

The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories. In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish its computer hardware. Our review of the information used to estimate the size and effect of the aging computer hardware issue determined the information could be improved. For example, the estimated cost to maintain and replenish the computer hardware needs to be updated, and reported information technology problems and reduced enforcement revenue could not be linked to aged computer hardware. Also, because the IRS considered the effect of the SASSER worm[1] to be related to aged hardware and software, unreliable information supporting the Fiscal Year 2007 budget request was reported to the Office of Management and Budget (see Appendix IV).
While there is risk associated with the aging computer hardware, the data provided by the IRS should be improved to provide more complete and accurate management information related to the negative impact the aging infrastructure is having on tax administration. Therefore, management needs to improve its information systems and data collection methodology to help support the need for new equipment.

[1] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network. The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.

The IRS stated it would augment the current $45 million it was spending to address the aging computer hardware issue by reallocating an additional $45 million in each of Fiscal Years 2006 through 2008 from savings achieved through program efficiencies. Our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to reallocate only $34 million instead of the reported $45 million. The IRS did exceed its Fiscal Year 2006 target computer hardware budget, but this was accomplished by identifying other one-time funding sources such as a labor surplus. On June 18, 2007, IRS management advised us they had permanently transferred $11 million from the Fiscal Year 2007 Modernization and Information Technology Services (MITS) organization budget to the computer hardware budget. In Fiscal Year 2007, the IRS used $45 million in user fees[2] and enrolled agent fees[3] to fund additional computer hardware needs.
Realigning user fees to address computer hardware needs does not constitute a permanent increase in computer hardware funding because user fee funds require annual reallocation.

The Infrastructure Executive Steering Committee was established to ensure the successful implementation and integration of modernization projects and related program activities for the Infrastructure portfolio. Our review of the End of Life Equipment Replacement activity determined the MITS organization has not included expenditures from this activity as part of its investment governance process. MITS organization management advised us that several actions have been taken to improve the discipline of the governance process over infrastructure investments.

The Government Performance and Results Act of 1993[4] was enacted by Congress to hold agencies accountable for achieving business results by requiring agencies to adopt performance measures to assess performance. The MITS organization has measures for asset management, customer satisfaction, incident management, and the enterprise service desk. The contractor assisting the IRS in developing its Sustaining Infrastructure Program has been assigned the task of formalizing a performance measurement process for the overall Sustaining Infrastructure Program and the individual initiatives/activities. Management advised us that once the Sustaining Infrastructure Program is implemented the MITS organization will have a process in place to assess its efforts in addressing the aging computer hardware problem.

[2] User fees are charges individuals and businesses are required to pay for services such as installment agreements and photocopies.
[3] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS. Enrolled agents pay fees for a test (if applicable) and program enrollment.
[4] Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).

Recommendations

We recommended the Chief Information Officer (1) implement procedures to improve the accuracy and completeness of the inventory data and periodically prepare an updated aged computer hardware estimate, (2) improve the integration of asset/inventory management with incident and problem management so problems related to old computer hardware issues can be readily identified and the IRS can report a more accurate assessment of the negative impact of aging computer hardware, (3) permanently allocate the necessary funds within the MITS organization budget to maintain and replenish the aging computer hardware, (4) ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process, and (5) establish a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishment.

Response

IRS management agreed with four of the five recommendations but did not agree with Recommendation 3. Management believes they cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints.
However, they agreed that sustaining the information technology infrastructure is one of their highest priorities and will realign the base budget whenever appropriate, subject to availability.

The IRS will identify and correct discrepancies in the Information Technology Asset Management System data, implement processes to improve and maintain the accuracy of the Information Technology Asset Management System data and produce quarterly estimates of the aged computer hardware and current estimates of the replacement costs, develop a business case for using a software tool to improve integration of asset/inventory management with incident and problem management, provide oversight of the End of Life Equipment Replacement activity, and implement outcome measures and a monitoring process to report on the IRS’ progress in reducing its aged asset inventory. Management’s complete response to the draft report is included as Appendix V.

Office of Audit Comment

The Chief Information Officer disagreed with our recommendation to permanently allocate funds within the MITS organization’s budget to maintain and replenish the aging computer hardware because the Chief Information Officer cannot commit to permanently allocating funds in future years without fully understanding tax administration requirements and budget constraints. We disagree and believe the Chief Information Officer should honor the commitment made to the IRS Oversight Board on May 23, 2006, that the IRS would augment the current $45 million being spent on infrastructure by reallocating an additional $45 million from program efficiencies in Fiscal Years 2006 through 2008.
In addition, the IRS reported in the Fiscal Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006 information technology budget that permitted the permanent reallocation of $45 million to address the aging computer hardware issue. However, our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware budget found the IRS was able to permanently reallocate only $34 million instead of the reported $45 million.

In the IRS response to the draft report, management provided several comments that make incorrect inferences. The management comments and related Office of Audit Comments are provided in appropriate sections of the report.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Several Actions Have Been Taken to Address the Aging Computer Hardware Issue
    Information Used to Estimate the Size and Effect of the Aging Computer Hardware Could Be Improved
        Recommendation 1
        Recommendation 2
    Permanent Program Funding Remains Uncertain
        Recommendation 3
    A Disciplined Investment Management Governance Process Is Needed for All Infrastructure Initiatives/Activities
        Recommendation 4
    Performance Measures Are Needed to Assess the Success of Efforts to Address the Aging Computer Hardware Issue
        Recommendation 5

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Management’s Response to the Draft Report

Abbreviations

IRS | Internal Revenue Service
MITS | Modernization and Information Technology Services

Background

The Internal Revenue Service (IRS) continues to emphasize that the core of tax administration processing relies heavily on critical systems designed in the 1960s, thereby hindering its ability to accomplish its mission and provide better service to taxpayers due to the inherent limitations of these systems. At the same time, the IRS is faced with the challenge of keeping pace with the growing volume of electronic submissions, payments, and refund transactions, which will continue to place a greater demand on it to provide a modernized and secure information technology infrastructure (e.g., desktop computers, laptop computers, printers, servers, data storage, and communications equipment). The IRS reports the risk to tax administration is significant because critical business systems are currently operating on aged computer hardware (i.e., hardware that has exceeded its useful life). With the amount of aged computer hardware increasing every year, the IRS Commissioner testified to Congress on March 29, 2007, that failing to replace the aged computer hardware will lead to increased maintenance costs and will increase the risk of disruption to business operations. The IRS estimates more than 50 percent of the laptop computers supporting Compliance organization employees are over-age and need replacement, which has resulted in increased downtime, reduced ability to communicate effectively, and delays in retrieving taxpayer data that are vital to daily compliance and enforcement activities.

The IRS estimates it needs to spend $180 million annually to adequately maintain and replenish its computer hardware.

The IRS identified as one of its highest budget priorities the need to obtain increased resources to reverse the erosion of its basic computer hardware. In December 2003, the IRS received a consultant’s analysis and findings from a comparison of the IRS information technology investments in hardware to private sector benchmark levels for equivalent financial services companies. The consultant’s report did not state a specific dollar amount the IRS should be investing in hardware, but IRS management advised us that the consultant stated the IRS’ investment in hardware was approximately $195 million below private sector benchmark levels. In 2005, the IRS validated the consultant’s estimate and calculated it should be spending $180 million annually to adequately maintain and replenish its computer hardware based on industry standards.

The IRS reported it was spending only about $45 million each year for this purpose and the gap in computer hardware replenishment spending had resulted in a significant amount of aged hardware that cannot adequately support its day-to-day business. To determine the amount of aged computer hardware and the cost to replace it, the IRS established a refresh cycle by equipment category (e.g., servers, routers, and desktop computers) based on industry standards and an estimated replacement cost. For example, it considers the useful life of a laptop computer to be 3 years with a replacement cost of $2,150.
It estimated the amount of aged computer hardware at the beginning of Fiscal Year 2006 was $276 million based on the established equipment refresh cycles and associated replacement costs. Figure 1 provides a breakdown of the aged computer hardware by equipment category at the beginning of Fiscal Year 2006.

Figure 1: Backlog of Aged Computer Hardware at the Beginning of Fiscal Year 2006

[Chart not reproduced. Vertical axis: Millions ($0 to $70). Equipment categories: Telecommunications/Wiring, Automatic Call Distributers, Voice Messaging System, Desktop Computers, Laptop Computers, Printers, Servers, Data Storage, Routers/Switches.]

Source: The Modernization and Information Technology Services organization.

This review was performed in Modernization and Information Technology Services (MITS) organization offices at the IRS National Headquarters in New Carrollton, Maryland, during the period August 2006 through April 2007. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objective, scope, and methodology is presented in Appendix I.
Major contributors to the report are listed in Appendix II.

Results of Review

Several Actions Have Been Taken to Address the Aging Computer Hardware Issue

The Internal Revenue Manual states the Chief Information Officer is responsible for managing information resources and technology and the IRS long-range objectives and strategies for improving tax administration through modernizing the tax administration system. The Chief Information Officer also has responsibility for strategic technology planning, data administration, technology standards, and the purchase of information technology products and services.

The IRS has initiated several actions to address the risks associated with the aging computer hardware issue. On September 28, 2006, it hired a contractor to develop a Sustaining Infrastructure Program, which is intended to provide a comprehensive approach to manage all infrastructure requirements and establish a governance structure to prioritize competing initiatives/activities (i.e., Infrastructure Roadmap, End of Life Equipment Replacement (Rust Replacement), and Security Infrastructure). The IRS is scheduled to complete implementation of the Sustaining Infrastructure Program in Calendar Year 2008.
Figure 2 contains a brief description of the different initiatives/activities.

Figure 2: Infrastructure Initiatives/Activities

Initiative/Activity | Description
Infrastructure Roadmap | This initiative is intended to identify infrastructure investment opportunities (including computer hardware) with potential for significant return on investment or savings, risk mitigation, service delivery improvements, security, and compliance and to better align information technology investments with business needs.
End of Life Equipment Replacement (Rust Replacement) | This activity is intended to fund the replacement of aging computer hardware components.
Security Infrastructure | This initiative is intended to fund projects to enhance the security of the information technology infrastructure.

Source: The MITS organization.

To address the annual spending deficit for the aging computer hardware issue, the IRS planned to augment the current $45 million it was spending to sustain the hardware by reallocating an additional $45 million in each of Fiscal Years 2006 through 2008 from savings it achieved through program efficiencies. The additional funding would result in a total increase of $135 million by Fiscal Year 2008 to achieve the spending goal of $180 million each year to maintain and replenish the computer hardware.
To address the backlog of aged hardware inventory, the IRS Fiscal Year 2008 Congressional Budget Submission requested an additional $60 million. The additional funds will also be requested in Fiscal Years 2009 through 2011, for a total of $240 million over a 4-year period.

The IRS’ commitment to improve the maintenance and replenishment of its computer hardware has been demonstrated by the reallocation and expenditure of $362.8 million from Fiscal Year 2005 through March 8, 2007. This expenditure amount represents an increase of 169 percent over the $135 million spent on aging computer hardware in the prior 3 fiscal years.

In addition, the Financial Management Services organization established a separate accounting code in Fiscal Year 2007 to track funds spent to replace aging computer hardware. While the Financial Management Services organization had previously tracked the expenditures by function (e.g., Enterprise Operations, Enterprise Networks), the funds allocated to address the aging computer hardware issue were not uniquely identified in the Integrated Financial System.[1]

Information Used to Estimate the Size and Effect of the Aging Computer Hardware Could Be Improved

The Clinger-Cohen Act of 1996[2] requires each agency to ensure senior management is provided with timely, verifiable data as one of the elements in maximizing the value and assessing and managing the risk of information technology acquisitions. To have a successful information technology investment management process, the agency must ensure management decisions are based on complete and current information.
In fact, informed management decisions can occur only if accurate, reliable, and up-to-date information is part of the decision-making process.

Figure 3 shows the IRS has reported it will need a total of $850 million from Fiscal Year 2006 to Fiscal Year 2010 to replenish its aging computer equipment and prevent a significant risk to tax administration due to computer equipment failure.

Figure 3: Estimated Cumulative Replacement Cost of the Aged Computer Equipment

[Chart not reproduced. Vertical axis: Millions ($0 to $1,000). Horizontal axis: Fiscal Year (2006 to 2010).]

Source: The MITS organization.

[1] The Integrated Financial System is intended to address administrative financial management weaknesses. The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities. A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.
[2] Federal Acquisition Reform Act of 1996 (Information Technology Management Reform Act of 1996), Pub. L. No. 104-106, 110 Stat. 642 (codified in scattered sections of 5 U.S.C., 5 U.S.C. app., 10 U.S.C., 15 U.S.C., 16 U.S.C., 18 U.S.C., 22 U.S.C., 28 U.S.C., 29 U.S.C., 31 U.S.C., 38 U.S.C., 40 U.S.C., 41 U.S.C., 42 U.S.C., 44 U.S.C., 49 U.S.C., 50 U.S.C.).

The Information Technology Asset Management System is the primary control and official IRS computer equipment database used to record all computer inventories. In Fiscal Year 2005, the IRS analyzed Information Technology Asset Management System data to determine the size of the aging computer hardware inventory and the estimated cost to adequately maintain and replenish this hardware. At the beginning of Fiscal Year 2006, the aged hardware was estimated to be valued at $276 million, with an additional $161 million in hardware becoming aged during Fiscal Year 2006.

The IRS hired a contractor to review the inventory data

Due to continuing concerns about the aging computer equipment, the IRS hired a contractor to assist in developing a Sustaining Infrastructure Program to manage the prioritization of hardware and software upgrades and replacements.
On November 29, 2006, the contractor delivered its
initial inventory data assessment, including an assessment of the quality and validity of data
contained in the Information Technology Asset Management System and other asset
management tools and data sources. On December 15, 2006, the contractor delivered the results
of its asset inventory review, including a comparison of the IRS asset inventory to industry best
practices and the Government Accountability Office Information Technology Investment
Management maturity model. The contractor also recommended process improvements.
Specifically, the contractor reported:
    •   Workstation data in the Information Technology Asset Management System are largely
        accurate and complete; however, this System is not sufficiently accurate or complete for
        other information technology asset categories.
    •   Make and model information appears to be accurate but is not sufficient to determine
        replacement cost.
    •   The inventory tracking system does not contain the asset owner, location of the asset, and
        configuration management information needed to support investment decisions.
Therefore, the contractor concluded the MITS organization’s inventory tracking system does not
provide the information required to support optimal inventory investment decisions.
The contractor also reported that inefficiencies in the Information Technology Asset Management
System affect the infrastructure investment process because estimates for infrastructure
replacement cost may not be accurate and it will be difficult to determine funding requirements
for implementation of infrastructure standards.

Our review of the Information Technology Asset Management System identified similar issues.
For example, management provided us information showing that in Fiscal Year 2005,
123 computer servers were purchased for $12.7 million (included $7.9 million for aged computer
hardware), including 8 Sun Microsystems Inc. Sun Fire E25K servers. However, the
December 2006 Information Technology Asset Management System reports listed only five of
the servers.

Management recognizes the problems with the Information Technology Asset Management
System and advised that corrective actions have been initiated. For example, the IRS is
implementing an automated device discovery tool to help identify information technology assets
that may not be in the Information Technology Asset Management System and to facilitate the
reconciliation of missing or inaccurate data. This effort is also examining the processes used to
maintain the data in the System to identify and implement improvements.

The IRS needs to improve and update documentation supporting the aging computer
hardware concerns
As part of our audit work, we attempted to obtain documentation supporting various
presentations to the IRS Oversight Board[3] and the Office of Management and Budget that
showed the extent of infrastructure problems and their effects on operations. We compared
several sources of information and found the following issues in the information reviewed.
    •   Management provided us with a spreadsheet showing the IRS needs to spend an
        estimated $180 million annually to adequately maintain and replenish its computer
        hardware.
        However, management was unable to provide documentation supporting the
        replacement costs. Our review of the spreadsheet information indicates the estimated
        cost to maintain and replenish the computer hardware needs to be updated. For example,
        the spreadsheet shows the Enterprise Operations organization had 64 servers over 5 years
        old with a replacement cost of $22.4 million. However, another spreadsheet provided by
        management indicates that 123 servers were purchased in Fiscal Year 2005 for
        $12.7 million (included $7.9 million for aged computer hardware) resulting in no backlog
        of aged servers at the beginning of Fiscal Year 2006. Therefore, the IRS spent only
        35 percent ($7.9 million/$22.4 million) of the original estimate to eliminate the aged
        server hardware by the beginning of Fiscal Year 2006. Reliance on the Fiscal Year 2005
        information could result in erroneous conclusions about the aged computer hardware
        issue.

[3] The IRS Oversight Board is an independent body charged to provide the IRS with long-term guidance and
direction.

    •   During a Fiscal Year 2007 budget briefing for its Oversight Board, the IRS stated the
        aging computer hardware issue is placing an increased burden on business operations. It
        stated that overall information technology problems reported to the IRS help desk
        increased 12 percent between Fiscal Years 2004 and 2005 (from 80,000 per month to
        90,000 per month).
        Figure 4 provides a summary of the information technology
        problems reported to the IRS help desk.

Figure 4: Summary of Information Technology Problems Reported to the IRS Help Desk

Category                    Number of        Number of        Percentage    Number of        Percentage
                            Problem Tickets  Problem Tickets  Increase      Problem Tickets  Increase
                            in Fiscal Year   in Fiscal Year   (Decrease)    in Fiscal Year   (Decrease)
                            2004             2005                           2006
Get-It Problem Tickets – Used for requesting new information technology products and services.
    Get-It – Subtotals      105,039          99,494           (5.28%)       82,813           (16.77%)
Fix-It Tickets – Used for reporting problems with existing hardware and software.
    Communications          13,852           13,713           (1.00%)       12,307           (10.25%)
    Customer Request[4]     525,457          618,448[5]       17.70%        612,790          (0.91%)
    Hardware                115,652          124,347          7.52%         141,709          13.96%
    Software                203,669          219,839          7.94%         241,315          9.77%
    Combined Categories[6]  148              315              112.84%       595              88.89%
    Fix-It – Subtotals      858,778          976,662          13.73%        1,008,716        3.28%
Totals                      963,817          1,076,156        11.66%        1,091,529        1.43%
                            (80,318 per      (89,680 per                    (90,960 per
                            month)           month)                         month)
Source: The MITS organization.

        Our review of a report summarizing the approximately 1 million information technology
        problems/requests reported in Fiscal Year 2005 confirmed the IRS has experienced about
        a 12 percent increase in the number of problem tickets submitted by employees.
        However, we also determined 45 percent (438,274/976,662) of the Fix-It problem tickets
        were categorized as Customer Requests (i.e., password or password management policy
        subcategory requests) that do not appear to have been caused by the aged infrastructure.
        Some of the other problem ticket categories (including Communications – Data,
        Communications – Voice, Hardware – Desktop, Hardware – Laptop, and
        Hardware – Printer) could be related to the aging hardware, but the documentation on the
        problem tickets is not sufficient to determine the cause of the problem.
        Although the
        number of reported information technology problems is increasing, the MITS
        organization is unable to readily link these problems to aging computer hardware.

[4] Subcategories include password, password policy, information, and other.
[5] The password and password policy subcategories totaled 438,274 problem tickets.
[6] The number of problem tickets includes several categories: Enterprise Service Desk Transfer, File Tracking,
Inventory Discrepancy, and System Acceptability Testing Software Testing.

    •   Finally, in September 2005 in support of the Fiscal Year 2007 budget request, the IRS
        budget presentation included a page entitled Outdated and Vulnerable Information
        Technology Infrastructure Has a Negative Impact on Enforcement Revenue that reported
        the following items to the Office of Management and Budget:
        > In Fiscal Year 2004, the IRS Collection program reported it lost more than
          70 revenue officer full-time equivalent[7] staff years due to computer downtime at a
          cost of roughly $70 million in uncollected tax revenue.
             Our review of the calculation of the uncollected tax revenue determined the
             Collection function uses a specific code in the employee timekeeping system to
             record computer downtime resulting in an employee being unable to perform
             assigned duties. However, the time code does not indicate whether the computer
             downtime was caused by aged computer equipment.
             Employees that do not use the
             specific time code to report computer downtime are interviewed to determine the
             amount of downtime. Therefore, the computer-related downtime is an estimate, and
             no analysis was performed to determine whether it was caused by aging computer
             equipment.
        > In Calendar Year 2005, the Small Business/Self-Employed Division Examination
          program reported it lost 37 revenue agent full-time equivalent staff years and 20 tax
          compliance officer full-time equivalent staff years due to computer downtime, costing
          roughly $37 million in unassessed tax revenue.
             Our review of the calculation of the lost staff years determined the Examination
             program estimated the computer downtime by talking to affected employees and
             using a general code in the employee timekeeping system. However, the time code is
             also used to record several other types of time (e.g., Combined Federal Campaign,
             workload reviews). Therefore, the computer-related downtime in this category is an
             estimate, and no analysis was performed to determine whether it was caused by aging
             computer equipment.
        > In Calendar Year 2004, the SASSER worm[8] attack on IRS computer systems cost
          more than $50 million in uncollected or unassessed tax revenues because delayed
          upgrades from Windows NT software left the IRS open to attacks by computer
          viruses. Management explained that, if the hardware had been updated, the operating
          system software would have also been updated and the IRS would not have been
          affected by the SASSER worm.

[7] A measure of labor hours in which 1 full-time equivalent is equal to 8 hours multiplied by the number of
compensable days in a particular fiscal year. For Fiscal Year 2004, 1 full-time equivalent was equal to 2,096 staff
hours.
[8] A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on
a network. The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating
excessive network traffic and causing infected systems to become unusable due to constant rebooting.

             Our review of the May 2, 2004, SASSER worm attack determined the IRS had not
             applied a security patch that was available on April 14, 2004. The MITS organization
             was notified numerous times from April 14, 2004, through May 2, 2004, by both the
             Microsoft Corporation and the Mission Assurance and Security Services organization
             to apply the security patch; however, the security patch was not applied consistently
             to servers and was not applied to any workstations.
             Therefore, the problem was
             caused by a software security patch issue, not delayed upgrades of aging computer
             hardware or software, because the SASSER worm infected computers with various
             Windows operating systems including Windows 2000, Windows XP, and
             Windows 2003 server.
             Because the IRS considered the effect of the SASSER worm to be related to aged
             hardware and software, unreliable information supporting the Fiscal Year 2007
             budget request was reported to the Office of Management and Budget (see
             Appendix IV).

As a result, the IRS does not know the cost of replenishing the aged hardware because the
estimated cost is not timely updated. It also does not know the actual amount of uncollected or
unassessed tax resulting from the aging computer hardware because the information technology
problem tickets do not track the root cause of problems and uncollected and unassessed taxes are
based on estimates.

While there is risk associated with the aging computer hardware, the data provided by the IRS
should be improved to provide more complete and accurate management information related to
the negative impact the aging infrastructure is having on tax administration.
Therefore, management needs to improve its information systems and data collection methodology
to help support the need for new equipment.

Recommendations
Recommendation 1: The Chief Information Officer should implement procedures to improve
the accuracy and completeness of the inventory data on the Information Technology Asset
Management System and periodically prepare an updated aged computer hardware estimate,
including current replacement cost, based upon reliable and current information.
       Management’s Response: IRS management agreed with this recommendation.
       They will identify discrepancies in the Information Technology Asset Management
       System inventory data for correction by the appropriate asset owner and will develop
       processes to improve and maintain the accuracy of the data in the Information
       Technology Asset Management System. A process will be implemented to produce
       quarterly estimates based on Information Technology Asset Management System data
       along with current estimates of the replacement costs.
Recommendation 2: The Chief Information Officer should improve the integration of
asset/inventory management with incident and problem management so problems related to old
computer hardware issues can be readily identified and the IRS can report a more accurate
assessment of the negative impact of aging computer hardware.
       Management’s Response: IRS management agreed with this recommendation and
       will develop a business case for using a software tool to improve the integration of
       asset/inventory management with incident and problem management.
       The business case
       will be presented to the appropriate MITS Governance Board for investment
       consideration and prioritization.
       Office of Audit Comment: In the IRS response to the draft report, management
       provided several comments that make incorrect inferences. Our reasons for disagreeing
       with each of these comments are summarized below and after other recommendations
       within the report.
          •   The Chief Information Officer commented that we did not accomplish the
              Engagement Letter objective to assess the current aging infrastructure
              environment because we did not independently validate the size or cost of the
              aged computer hardware issue. The audit report presents the results of our
              assessment of several areas of the aging infrastructure environment, including the
              information used to estimate the size and effect of the aging computer hardware,
              program funding, investment management governance, and performance
              measures.
          •   The Chief Information Officer asserted that the IRS knows the size of the aged
              information technology hardware problem and the audit team does not provide a
              position on which part of the estimate is valid and/or invalid. The IRS provided
              us with a spreadsheet showing it needs to spend an estimated $180 million
              annually to adequately maintain and replenish its computer hardware. Our review
              of the spreadsheet determined the information is not current. For example, we
              reported the IRS spent only 35 percent of its original estimate to eliminate the
              aged server hardware by the beginning of Fiscal Year 2006 (see page 6).
              The
              significance of the difference between the actual cost to replace the servers and
              the estimate in the spreadsheet raises a question about the accuracy of the
              estimates for the other asset categories. Therefore, the cost to maintain the
              infrastructure may be significantly lower than the IRS estimate of $180 million
              annually.
          •   The Chief Information Officer disagreed with any inference that the aged
              infrastructure is not a significant cause of information technology-related
              problems. The report does not state the aged infrastructure is not a problem;
              rather, it states the IRS could not quantify the problem and inaccurate information
              was reported externally.
          •   The Chief Information Officer stated that the accuracy of the information related to the
              “root cause” of the SASSER Worm is not an essential factor of the audit and is
              therefore a peripheral issue. The IRS advised the Office of Management and
              Budget that delayed software upgrades due to the aged infrastructure issue cost
              more than $50 million in uncollected or unassessed tax revenues. Our point was
              that this information is not correct.
              The problem was the IRS did not apply a
              security patch that has nothing to do with the aged infrastructure issue.

Permanent Program Funding Remains Uncertain
Office of Management and Budget Circular A-11, Preparation, Submission, and Execution of the
Budget, requires agencies to use long-range planning and a disciplined, integrated budget process
as the basis for managing information technology investments to achieve performance goals with
the lowest costs and least risk. As part of its long-range planning to address the aging computer
hardware issue, on May 23, 2006, the IRS advised its Oversight Board that it would augment the
current $45 million it was spending by reallocating an additional $45 million achieved through
program efficiencies in each of Fiscal Years 2006 through 2008. The IRS reported in the Fiscal
Year 2008 Congressional Budget Submission it had identified efficiencies in the Fiscal
Year 2006 information technology budget that permitted the permanent reallocation of
$45 million to address the aging computer hardware issue.

Our review of the Fiscal Year 2006 funds permanently reallocated to the computer hardware
budget found the IRS was able to permanently reallocate only $34 million instead of the reported
$45 million. The IRS did exceed its Fiscal Year 2006 target computer hardware budget, but this
was accomplished by identifying other one-time funding sources such as a labor surplus. On
June 18, 2007, IRS management advised us they had permanently transferred $11 million of the
Fiscal Year 2007 MITS organization budget to the computer hardware budget.
Therefore, IRS
management completed the first of its 3 permanent reallocations of $45 million to the computer
hardware budget.

In Fiscal Year 2007 (the second of 3 planned permanent reallocations), the IRS is using
$45 million in user fees[9] and enrolled agent fees[10] to fund additional computer hardware needs.
Realigning user fees to address computer hardware needs does not constitute a permanent
increase in base computer hardware funding because user fee funds require annual reallocation.
Therefore, the IRS will not meet its goal of reinvesting an additional $45 million each year from
information technology efficiencies beginning in Fiscal Year 2006 to achieve the annual
spending amount of $180 million by Fiscal Year 2008 to maintain and replenish the aging
computer hardware.

[9] User fees are charges individuals and businesses are required to pay for services such as installment agreements
and photocopies.
[10] An enrolled agent is a person who has earned the privilege of representing taxpayers before the IRS. Enrolled
agents pay fees for a test (if applicable) and program enrollment.

Although the IRS considers the need to obtain increased resources to reverse the erosion of its
basic computer hardware as one of its highest budget priorities and has requested an additional
$240 million from Congress over a 4-year period beginning in Fiscal Year 2008, it has not
permanently reallocated the necessary funding into the MITS organization’s base budget for
computer hardware replacement to adequately maintain and replenish its hardware.
The funds
were not permanently reallocated to increase computer hardware funding because they were used
to absorb reductions to the Fiscal Year 2007 budget. Until funds are permanently reallocated to
the computer hardware budget, the ability to adequately maintain and replenish the old hardware
will remain uncertain, thereby increasing the risk of disruptions to operations and the risk of
potential uncollected or unassessed tax revenues.

Recommendation
Recommendation 3: The Chief Information Officer should permanently allocate the
necessary funds within the MITS organization budget to maintain and replenish the aging
computer hardware.
       Management’s Response: IRS management disagreed with this recommendation
       because the Chief Information Officer cannot commit to permanently allocating funds in
       future years without fully understanding tax administration requirements and budget
       constraints. However, the IRS agreed that sustaining the information technology
       infrastructure is one of its highest priorities; it will realign the base budget whenever
       appropriate, subject to availability.
       Office of Audit Comment: We disagree and believe the Chief Information Officer
       should honor the commitment made to the IRS Oversight Board on May 23, 2006, that
       the IRS would augment the current $45 million being spent on infrastructure by
       reallocating an additional $45 million from program efficiencies achieved in each of
       Fiscal Years 2006 through 2008. In addition, the IRS reported in the Fiscal Year 2008
       Congressional Budget Submission it had identified efficiencies in the Fiscal Year 2006
       information technology budget that permitted the permanent reallocation of $45 million
       to address the aging computer hardware issue.
       However, our review of the Fiscal Year
       2006 funds permanently reallocated to the computer hardware budget found the IRS was
       able to permanently reallocate only $34 million instead of the reported $45 million.
       We also disagree with the Chief Information Officer’s comment that we interpreted the
       IRS’ goal to realign the MITS organization base budget as a requirement. We
       consistently discuss the realignment of funds to the infrastructure budget as a goal.

A Disciplined Investment Management Governance Process Is
Needed for All Infrastructure Initiatives/Activities
The Clinger-Cohen Act of 1996 requires agencies to use a disciplined capital planning and
investment control process to maximize the value of information technology investments and
manage the acquisition risk. The capital planning and investment control process is a
decision-making process for ensuring information technology investments integrate strategic
planning, budgeting, procurement, and management of information technology in support of the
agency’s mission and business needs. When evaluating information technology investments, the
agency should conduct the review from an enterprisewide perspective to use information
technology to drive strategic business change.

The IRS’ Capital Planning and Investment Control process for managing information technology
projects includes an executive governance process for monitoring projects. The process includes
the MITS Enterprise Governance Committee[11] and executive steering committees responsible for
specific projects.
Specifically, the Infrastructure Executive Steering Committee was established
to ensure the successful implementation and integration of modernization projects and related
program activities for the Infrastructure portfolio. Major projects with costs of more than
$5 million each year or more than $50 million in total life cycle costs are to be governed by the
executive governance process.

Our review of the End of Life Equipment Replacement activity determined the MITS organization
has not included expenditures from this activity as part of its investment governance process.
The Enterprise Operations organization has 12 ongoing Rust Replacement projects; it received more
than $20 million in Fiscal Year 2005 and more than $39 million in Fiscal Year 2006 to replace
aging computer hardware. Therefore, the End of Life Equipment Replacement activity would qualify
under the IRS information technology investment control process as a major project warranting
executive steering committee governance.

       With all infrastructure initiatives/activities following the established executive
       governance process, the IRS can assure proper equipment expenditure prioritization
       and the most efficient use of available resources.

[11] The highest level recommending and decision-making body to oversee and enhance enterprise management of
information systems and technology.
It ensures strategic modernization and information technology program
investments, goals, and activities are aligned with and support 1) the business needs across the enterprise and 2) the
modernized vision of the IRS.

Although the Infrastructure Executive Steering Committee is designated as the decision-making
body responsible for successful implementation and integration of all infrastructure
initiatives/activities, the End of Life Equipment Replacement activity does not report to the
Infrastructure Executive Steering Committee for oversight and follows a formalized investment
decision process when requesting funds for individual projects. For this activity, each MITS
organization identifies its equipment needs and related projects and submits these funding needs
to MITS organization executives for review, approval, prioritization, and funding. As a result,
the ad hoc investment management process is particularly apparent at the end of a fiscal year
when additional funds become available. The Enterprise Operations organization received its
Fiscal Year 2006 funding for the End of Life Equipment Replacement activity at the end of
Fiscal Year 2006.
In addition, because the End of Life Equipment Replacement activity is not
considered an information technology investment project, it is not reflected in the IRS Enterprise
Transition Plan, which is a key IRS modernization document that facilitates a strategic
investment decision-making process from an enterprisewide perspective.

Without a disciplined investment management decision-making and governance process that
evaluates information technology investments from an enterprisewide perspective, the IRS may
not assure the proper prioritization of projects to ensure investment decisions result in the most
efficient use of available resources to address the aging computer hardware issue. The
implementation of a disciplined investment management process will become even more critical
by Fiscal Year 2008 when the IRS may have $240 million ($180 in the aged computer hardware
budget and $60 million in additional budgeted funds) to spend on maintaining and replenishing
the aged computer hardware.

MITS organization management advised us that several actions have been taken to improve the
discipline of the governance process over infrastructure investments. For example, an
engineering review was conducted on the approved Fiscal Year 2007 funding requests, which
were then ranked and prioritized using a structured process and scoring criteria and submitted to
the MITS Enterprise Governance Committee for final review.
In addition, the Infrastructure Executive Steering Committee and the MITS Enterprise Governance Committee will be responsible for future governance of the Sustaining Infrastructure Program.

Recommendation

Recommendation 4: The Chief Information Officer should ensure the End of Life Equipment Replacement activity is included in the Infrastructure Executive Steering Committee governance process.

       Management’s Response: IRS management agreed with this recommendation and will implement a governance model that includes oversight from the Infrastructure Executive Steering Committee.

       Office of Audit Comment: The Chief Information Officer disagreed that improvements in the 2007 investment process did not help the IRS successfully identify the highest priority infrastructure investments. The audit report did not suggest this. The report states the investment process could be further improved by ensuring the End of Life Equipment Replacement activity was reporting to an executive steering committee. Based on the amount of money being spent on the activity, the established MITS organization governance process for information technology investments should be followed to ensure all business units are involved in and aware of the prioritization.
       In addition, some of the improvements mentioned in the IRS response are discussed on page 15 of the report.

Performance Measures Are Needed to Assess the Success of Efforts to Address the Aging Computer Hardware Issue

The Government Performance and Results Act of 1993¹² was enacted by Congress to hold Federal Government agencies accountable for achieving business results by requiring agencies to adopt performance measures and set goals to assess performance. The Clinger-Cohen Act of 1996 specified that the agency Chief Information Officer is responsible for monitoring the performance of the agency’s information technology programs; evaluating the performance of those programs on the basis of applicable performance measures; and advising the agency head regarding whether to continue, modify, or terminate the program or project. To comply with the Clinger-Cohen Act of 1996 and Office of Management and Budget guidelines, each agency’s information technology investment planning process must include periodic evaluations of project performance as measured against predefined outcome goals to assess how well information technology investments improve the efficiency and effectiveness of the agency’s operations.

The MITS organization uses the Business Process Management System for reporting measures on asset management, customer satisfaction, incident management, and the enterprise service desk. The contractor assisting the IRS in developing its Sustaining Infrastructure Program has been assigned the task of formalizing a performance measurement process for the overall Sustaining Infrastructure Program and the individual initiatives/activities. The contractor has provided some preliminary portfolio metrics, and the metrics will be refined and finalized at the time the Implementation Plan is completed.
The draft Implementation Plan was delivered to the IRS in April 2007 and is currently under review.

Once these performance measures are developed, the IRS will be able to assess whether current efforts to address the aging computer hardware problem are meeting expectations and achieving anticipated business results. Management advised us that performance measures have not been established because the IRS is focusing its efforts on identifying and addressing the highest priority aged computer hardware needs and has not developed measures to assess its effectiveness. Management also advised us that once the Sustaining Infrastructure Program is implemented the MITS organization will have a process in place to assess its efforts in addressing the aging computer hardware problem.

¹² Pub. L. No. 103-62, 107 Stat. 285 (codified as amended in scattered sections of 5 U.S.C., 31 U.S.C., and 39 U.S.C.).

Recommendation

Recommendation 5: The Chief Information Officer should ensure a performance measurement process providing periodic monitoring and reporting of Sustaining Infrastructure Program accomplishments is established for current and future efforts to address the aging computer hardware issue.

       Management’s Response: IRS management agreed with this recommendation and will implement outcome measures and a monitoring process to report on the IRS’ progress in reducing its aged asset inventory.

       Office of Audit Comment: The Chief Information Officer commented it is not accurate to infer that the IRS has not developed such metrics; specifically, the IRS has developed measures for asset management.
       We reported on page 16 of this report that the MITS organization uses the Business Process Management System for reporting measures on asset management, customer satisfaction, incident management, and the enterprise service desk. The report clearly states the issue is that performance measures are needed for the Sustaining Infrastructure Program and states a contractor is in the process of developing the measures.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this audit was to determine whether the IRS implemented effective controls to identify and replace aging equipment components that could adversely affect its ability to meet its mission if the equipment components were to fail. To accomplish this objective, we:

I.     Assessed the current aging infrastructure environment.
       A. Reviewed the results of studies establishing the current size and expected growth of the aging infrastructure, actual and potential financial effects from use of the outdated equipment (e.g., increased maintenance costs, loss of revenue), and the estimated IRS funding necessary to maintain and replace the aging infrastructure.
       B. Reviewed other presentations made by the IRS to communicate the severity of the aging infrastructure problem and its effect on expenditures and revenues.
       C. Identified the measures taken by the IRS to validate the reported severity of the aging infrastructure problem and the estimated costs to replace outdated equipment.
       D. Reviewed documentation supporting key elements of the aging infrastructure problem to justify funding the program (e.g., size of the aging inventory, loss of revenue, replacement costs).
       E. Obtained infrastructure aging reports from the Information Technology Asset Management System to determine the information available to assess the reported aging infrastructure inventory. We interviewed IRS management to determine whether infrastructure aging information is entered into the Information Technology Asset Management System. Also, we determined whether IRS management uses the reports to monitor the aging infrastructure.
II.    Determined the effectiveness of the infrastructure governance process.
       A. Interviewed Enterprise Services organization and Enterprise Operations organization personnel to determine the governance structure and investment decision-making process for the sustaining infrastructure program and individual initiatives.
       B. Reviewed documentation describing the governance structure and investment decision-making process (e.g., project identification, prioritization, approval, monitoring).
       C. Reviewed the meeting minutes of the governance bodies (e.g., executive steering committees, investment review boards) over the sustaining infrastructure program and individual initiatives.
III.   Determined the status of the sustaining infrastructure program and individual initiatives.
       A. Interviewed Enterprise Services organization and Enterprise Operations organization personnel to discuss the aging infrastructure problem and the status of the overall program and individual initiatives (e.g., Rust Replacement, Infrastructure Roadmap) established to reduce the risks.
       B. Reviewed project documentation for the sustaining infrastructure program, including the current project schedule, key milestones, and planned completion dates.
       C. Reviewed status reports for the sustaining infrastructure program and the individual initiatives.
       D. Identified the performance measures established to assess the effectiveness of the program and to support program-level analysis and status reporting.
       E. Identified the processes for gathering the data to accurately measure and report program performance.
       F. Identified planned funding for the Sustaining Infrastructure Program and individual initiatives for Fiscal Years 2005 through 2009, including actual expenditures through Fiscal Year 2006.

Data Validity and Reliability

       We used computer-processed data to review the inventory and cost of the aged computer hardware, the information technology problem tickets, and the amount of funds spent on the aged computer hardware. The IRS hired a contractor to perform an asset inventory review, and the contractor concluded the MITS organization’s inventory tracking system does not provide the information required to support optimal inventory investment decisions.
       Based on interviews and our review of Information Technology Asset Management System data, we also concluded the information could be improved. Therefore, we used IRS-provided information during the audit and did not independently validate the size or cost of the aged computer hardware issue.

       The IRS uses the reporting and tracking tool within the Information Technology Asset Management System to control its problem tickets and reported it had more than 1 million information technology problem ticket requests in Fiscal Year 2005. It provided us with a summary report of the problem tickets, by category, totaling more than 1 million tickets. An IRS employee advised us the problem ticket data are a unique and computer-generated assessment based upon specific and applied criteria and the data provided to us were validated for accuracy. We checked the reasonableness of the information in the summary report by comparing it to the number of tickets the IRS had previously reported. The data appeared to be reasonably accurate for the purposes of this audit, and we performed no additional data validity tests.

       The IRS provided data from the Integrated Financial System¹ for Fiscal Years 2005 through 2007 regarding funding amounts for aged computer hardware. We relied on the Government Accountability Office’s assessment of the reliability of the computer-processed data from the Integrated Financial System.
       During a review of the IRS’ financial statements,² the Government Accountability Office concluded the expense and reimbursable revenue information processed through the Integrated Financial System for Fiscal Years 2005 and 2006 was reliable in all material respects.

¹ The Integrated Financial System is intended to address administrative financial management weaknesses. The first release of the Integrated Financial System will include the Accounts Payable, Accounts Receivable, General Ledger, Budget Execution, Cost Management, and Financial Reporting activities. A future Integrated Financial System release will be needed to fully resolve all administrative financial management weaknesses.
² Financial Audit: IRS’s Fiscal Years 2006 and 2005 Financial Statements (GAO-07-136, dated November 2006).

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Gary Hinkle, Director
Danny Verneuille, Audit Manager
Van Warmke, Lead Auditor
Glen Rhoades, Senior Auditor
Beverly Tamanaha, Senior Auditor
Tina Wong, Senior Auditor
Charlene Elliston, Auditor

Appendix III

Report Distribution List

Acting Commissioner C
Office of the Commissioner – Attn: Acting Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Information Officer OS:CIO
Associate Chief Information Officer, End User Equipment and Services OS:CIO:EU
Associate Chief Information Officer, Enterprise Operations OS:CIO:EO
Associate Chief Information Officer, Enterprise Services OS:CIO:ES
Associate Chief Information Officer, Management OS:CIO:M
Director, Stakeholder Management OS:CIO:SM
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Deputy Commissioner for Operations Support OS
       Director, Program Oversight Office OS:CIO:SM:PO

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended corrective actions will have on tax administration. This benefit will be incorporated into our Semiannual Report to Congress.

Type and Value of Outcome Measure:

•   Reliability of Information – Actual; $50 million incorrectly reported (see page 4).

Methodology Used to Measure the Reported Benefit:

In support of the Fiscal Year 2007 budget request, the IRS reported in September 2005 to the Office of Management and Budget that (1) delayed upgrades from Windows NT software left it open to attacks by computer viruses and (2) the 2004 SASSER worm¹ attack on its computer systems cost more than $50 million in uncollected or unassessed tax revenues. Management explained that, if the hardware had been updated, the operating system software would have also been updated and the IRS would not have been affected by the SASSER worm.

Our review of the May 2, 2004, SASSER worm attack determined the IRS had not applied a security patch that was available on April 14, 2004. The MITS organization was notified numerous times from April 14, 2004, through May 2, 2004, by both the Microsoft Corporation and the Mission Assurance and Security Services organization to apply the patch; however, the patch was not applied consistently to servers and was not applied to any workstations. Therefore, the problem was caused by a software security patch issue, not delayed upgrades of aging computer hardware or software, because the SASSER worm infected computers with various Windows operating systems including Windows 2000, Windows XP, and Windows 2003 server.

¹ A computer worm is a self-replicating computer program that sends copies of itself to other computer terminals on a network.
The SASSER worm exploited a feature (vulnerability) of the Microsoft operating system generating excessive network traffic and causing infected systems to become unusable due to constant rebooting.

Appendix V

Management’s Response to the Draft Report